Last value of each interface in the match phrase query

Hi, how can I get the last value of each interface in the match phrase query? I have tried with max timestamp, but I get a timeout error.

GET /metrics-inf-*/_search
{
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "should": [
              {
                "exists": {
                  "field": "throughput_bps"
                }
              }
            ],
            "minimum_should_match": 1
          }
        },
        {
          "bool": {
            "should": [
              {
                "match_phrase": {
                  "q_interface_name": "Gi0/0/2 on (LM-A1K)"
                }
              },
              {
                "match_phrase": {
                  "q_interface_name": "Gi0/0/1 on (CH-A1K)"
                }
              },
              {
                "match_phrase": {
                  "q_interface_name": "Eth/61 on (LM-N9K)"
                }
              },
              {
                "match_phrase": {
                  "q_interface_name": "Eth/17 on (CH-N9K)"
                }
              }
            ],
            "minimum_should_match": 1
          }
        }
      ]
    }
  },
  "_source": [
    "throughput_bps",
    "q_interface_name",
    "@timestamp"
  ]
}

The last value being the one with the latest timestamp?

I'd try a top hits agg if that's the case.


Thanks @warkolm, I added this and it works

GET /metrics-inf*/_search
{
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "should": [
              {
                "exists": {
                  "field": "throughput_bps"
                }
              }
            ]
          }
        },
        {
          "bool": {
            "should": [
              {
                "match_phrase": {
                  "q_interface_name": "Gi0/0/2 on (LM-A1K)"
                }
              },
              {
                "match_phrase": {
                  "q_interface_name": "Gi0/0/1 on (CH-A1K)"
                }
              },
              {
                "match_phrase": {
                  "q_interface_name": "Ethernet1/61 on (LM-N9K)"
                }
              },
              {
                "match_phrase": {
                  "q_interface_name": "Ethernet1/17 on (CH-N9K)"
                }
              }
            ]
          }
        }
      ]
    }
  },
  "aggs": {
    "top_date": {
      "top_hits": {
        "sort": [
          {
            "@timestamp": {
              "order": "desc"
            }
          }
        ],
        "_source": {
          "includes": [
            "throughput_bps",
            "q_interface_name",
            "@timestamp"
          ]
        }
      }
    }
  }
}

But I only get 3 interfaces from the aggregation; I checked the data in Discover and all the interfaces exist and have a value in throughput_bps.

I just checked the hits.hits payload and I get data with values from the missing interface.

Do you know why I only get 3 of the 4 interfaces? Thanks.
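The following is an added illustration, not code from the thread or from Elastic. It models two things in plain Python over constructed sample documents: first, what a bare `top_hits` aggregation returns (its `size` defaults to 3 and it ranks across all matching documents, not per interface), and second, the `terms` + `top_hits` shape that yields exactly one newest document per interface. The bucket field `q_interface_name.keyword` is an assumption: the thread's `match_phrase` queries imply a text field, and a `terms` aggregation needs a keyword (or keyword sub-field) to group on.

```python
"""Added example (not from the thread): latest document per interface.

Assumptions: the index has a keyword sub-field "q_interface_name.keyword"
(hypothetical name) usable for bucketing, and "@timestamp" is a date field.
"""
from datetime import datetime

# Constructed sample documents standing in for rows from metrics-inf-* .
SAMPLE_DOCS = [
    {"@timestamp": "2024-03-01T10:00:00Z", "q_interface_name": "Gi0/0/2 on (LM-A1K)", "throughput_bps": 120_000},
    {"@timestamp": "2024-03-01T10:05:00Z", "q_interface_name": "Gi0/0/2 on (LM-A1K)", "throughput_bps": 125_000},
    {"@timestamp": "2024-03-01T10:05:00Z", "q_interface_name": "Gi0/0/1 on (CH-A1K)", "throughput_bps": 98_000},
    {"@timestamp": "2024-03-01T10:05:00Z", "q_interface_name": "Ethernet1/61 on (LM-N9K)", "throughput_bps": 4_100_000},
    {"@timestamp": "2024-03-01T09:55:00Z", "q_interface_name": "Ethernet1/17 on (CH-N9K)", "throughput_bps": 3_900_000},
]


def _ts(doc):
    """Parse the ISO-8601 @timestamp (trailing Z) into a datetime for sorting."""
    return datetime.fromisoformat(doc["@timestamp"].replace("Z", "+00:00"))


def flat_top_hits(docs, size=3):
    """Model of a top_hits aggregation with no parent bucket.

    It returns the `size` newest documents across *all* matches; size
    defaults to 3 in Elasticsearch, which is why a single top_hits can
    surface only three of four interfaces.
    """
    return sorted(docs, key=_ts, reverse=True)[:size]


def latest_per_interface(docs):
    """Model of terms(q_interface_name.keyword) -> top_hits(size=1, desc).

    One entry per interface, each holding that interface's newest document.
    """
    latest = {}
    for doc in docs:
        name = doc["q_interface_name"]
        if name not in latest or _ts(doc) > _ts(latest[name]):
            latest[name] = doc
    return latest


def latest_per_interface_query(interfaces):
    """Elasticsearch request body implementing the same per-interface logic.

    size 0 suppresses plain hits; each terms bucket carries a top_hits of
    size 1 sorted by @timestamp desc. The keyword sub-field is assumed.
    """
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"exists": {"field": "throughput_bps"}},
            {"bool": {
                "should": [{"match_phrase": {"q_interface_name": i}} for i in interfaces],
                "minimum_should_match": 1,
            }},
        ]}},
        "aggs": {"per_interface": {
            "terms": {"field": "q_interface_name.keyword", "size": len(interfaces)},
            "aggs": {"latest": {"top_hits": {
                "size": 1,
                "sort": [{"@timestamp": {"order": "desc"}}],
                "_source": {"includes": ["throughput_bps", "q_interface_name", "@timestamp"]},
            }}},
        }},
    }


if __name__ == "__main__":
    import json
    print("flat top_hits (default size 3) returns interfaces:",
          sorted({d["q_interface_name"] for d in flat_top_hits(SAMPLE_DOCS)}))
    for name, doc in latest_per_interface(SAMPLE_DOCS).items():
        print(f"{name}: {doc['throughput_bps']} bps at {doc['@timestamp']}")
    print(json.dumps(latest_per_interface_query([d["q_interface_name"] for d in SAMPLE_DOCS]), indent=2))
```

Run against the sample data, the flat model drops the interface with the oldest sample even though it matched the query, while the per-interface model returns all four with their newest throughput. Sending the body from `latest_per_interface_query` to `GET /metrics-inf-*/_search` reads the result from `aggregations.per_interface.buckets[*].latest.hits.hits[0]._source`.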
